
# Validation patterns for indicator values, kept as named constants so the
# IOC table and the whitelist table cannot drift apart.
#
# NOTE(review): every pattern is anchored with `$`, which in Python's `re`
# also matches just before a single trailing newline. How callers apply these
# patterns is not visible here; confirm they strip input or use
# `re.fullmatch` so "value\n" is not stored as a valid indicator.
# NOTE(review): the hostname, certificate and TLD patterns accept lowercase
# only; presumably input is lowercased before matching. Verify in the caller.
_IPV4 = r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
_IPV6 = r"^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$"
# The "/prefix" part is optional, so a bare IPv4 address satisfies this
# pattern as well as _IPV4. NOTE(review): if type detection takes the first
# matching entry, list order decides which type a bare address gets - confirm.
_IPV4_NETWORK = r"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$"
# The lookahead caps each label at 63 characters; the TLD must be alphabetic.
_HOSTNAME = r"^((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}$"

# Rows are (type, regex, name, auto). The "auto" flag is only stored here;
# presumably it marks types eligible for automatic detection - TODO confirm.
_ADDRESS_ROWS = (
    ("ip4addr", _IPV4, "IPv4 Address", True),
    ("ip6addr", _IPV6, "IPv6 Address", True),
    ("cidr", _IPV4_NETWORK, "Network range", True),
    ("domain", _HOSTNAME, "Domain name", True),
)

_IOC_ONLY_ROWS = (
    ("sha1cert", r"^[0-9a-f]{40}$", "Certificate SHA1", True),
    # regex is False for Snort rules: this table provides no syntactic check
    # for them, so rule content needs to be validated elsewhere.
    ("snort", False, "Snort rule", False),
    ("ns", _HOSTNAME, "Name Server", False),
    ("freedns", _HOSTNAME, "Free DNS", False),
    ("tld", r"^\.[a-z]{2,63}$", "Suspect TLD", False),
)

_TAG_ROWS = (
    ("apt", "APT"),
    ("stalkerware", "Stalkerware"),
    ("suspect", "Suspect"),
    ("malicious", "Malicious"),
    ("tracker", "Tracker"),
    ("spyware", "Spyware"),
    ("cybercrime", "Cybercrime"),
)


def _as_types(rows):
    """Expand (type, regex, name, auto) rows into fresh, independent dicts."""
    return [
        {"type": kind, "regex": pattern, "name": label, "auto": auto}
        for kind, pattern, label, auto in rows
    ]


# Lookup tables for indicator types, indicator tags and whitelist entry types.
# Each list gets its own dict objects, so mutating one table never affects
# another even though the address patterns are shared.
definitions = {
    "iocs_types": _as_types(_ADDRESS_ROWS + _IOC_ONLY_ROWS),
    "iocs_tags": [{"tag": slug, "name": label} for slug, label in _TAG_ROWS],
    "whitelist_types": _as_types(_ADDRESS_ROWS),
}
